
I have had two separate support questions raised because of the Invalid Server Certificate Warning in both Internet Explorer (IE) and Firefox (FF) this week, so I thought I’d post a brief explanation about this issue.
From time to time, you may receive one of the following Server Certificate warnings, or error messages, as some call them.

The above graphic is what you will see if you are using Internet Explorer.

The above graphic is what you will see if you are using Firefox.
The above graphic is what you will see if you are using Google Chrome.
I have blurred out the client’s website I was visiting to get this image.
The above graphic is what you will see if you are using Apple Safari.
I have blurred out the client’s website I was visiting to get this image.
Why does this happen?
It happens because the security certificate, the code that makes the HTTP an HTTPS (or secure connection), has been self-signed and has not been issued by a certification authority such as Thawte, Verisign, and so forth.
Where does it happen?
It should only happen when you are logging into your own secure e-mail client on your web hosting site, or when you try to access your control panel on your web host’s site.
When should I NOT see this?
You should NEVER see this when you are logging into:
- Any financial site, as in your bank, trading accounts, insurance, credit card institution or other such sites.
- Any online shopping site.
- Any site where you are required to exchange confidential information such as banks, credit bureaus, stock brokerage, and so on.
Why does my web host do this?
Certificates from a certifying authority are costly, especially for hosting companies. Many hosts self-sign certificates to allow secure access for their customers who want security when accessing their online email or control panel for their hosting accounts.
If I log in to my e-mail or control panel anyway, am I still secure?
You are secure to the level of security that your web host offers. You need to check with them as to the level of encryption they provide.
Keep in mind that the certificate does not guarantee encryption. If the certificate was provided by a third-party provider, it only guarantees that the site and the site owner have been verified to be who they say they are!
Why is this such an issue?
It’s an issue because of the scammers and phishers that have become rampant on the Internet. The browser providers like Google Chrome, IE, FF, and Safari – to name a few – have included this warning to help you spot a phishing or scammer site more easily.
Can I ignore this warning?
Yes, if you know with CERTAINTY that this is the site you want to go to.
If you have clicked on a link in an email, a Twitter DM, or any other web page link and you see this message, do not proceed! Chances are good it’s a phishing or scam site.
If you have typed in the URL to your webmail or control panel account on your web host, or clicked the link from within your web host’s setup information, then you can proceed safely. In the images that follow, you will see that there is also a button in the Firefox message that will allow you to see the actual self-signed certificate to make sure you are at your web host’s server.
How can I stop this error message?
If you are getting this error message when you try to login to your web host control panel or web mail on your web host, you can add a permanent exception by accepting the self-signed certificate.
In most browsers, you can click on a button to see the actual self-signed certificate and verify it’s your web host. The following is an example of a self-signed certificate on a LunarPages server.

In Firefox, the behavior is slightly different. You have to click the arrow next to the second line item to view the certificate or accept it.
Remember, this is normal behavior if you are signing in to your web host email or control panel and neither you nor your web host has purchased a certificate from an issuing authority.
It is NOT normal behavior for any sites that you would do business with like shops, financial and investment institutions, and other such businesses.
I hope this helps clear up the matter of Server Certificate warnings.
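The check described above, viewing the self-signed certificate and confirming it really is your web host’s before accepting it, can also be done by comparing the certificate’s SHA-256 fingerprint with one your host has given you. The following is an added example, not part of the original post; it assumes your host has supplied the fingerprint through a trusted channel, and the host name and sample bytes in it are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder bytes standing in for a certificate (not a real one).
CONSTRUCTED_DER = b"constructed placeholder bytes, not a real certificate"


def fetch_der(host, port=443, timeout=5.0):
    """Fetch the server certificate as DER bytes without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # a self-signed cert fails normal validation
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def normalize(fingerprint):
    """Turn 'AB:CD:...' or 'ab cd ...' into 64 lowercase hex characters."""
    cleaned = "".join(c for c in fingerprint if c not in ": \t\n").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def display_form(der):
    """SHA-256 fingerprint in colon-separated uppercase, as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der, pinned_fingerprint):
    """True only if the certificate hashes to the fingerprint the host gave you."""
    actual = hashlib.sha256(der).hexdigest()
    return hmac.compare_digest(actual, normalize(pinned_fingerprint))


if __name__ == "__main__":
    # Offline demonstration on the constructed bytes. Against a real server
    # you would call fetch_der("webmail.example.com") (hypothetical host name).
    pin = display_form(CONSTRUCTED_DER)
    print("Fingerprint from host:", pin)
    print("Same certificate:     ", matches_pin(CONSTRUCTED_DER, pin))
    print("Different certificate:", matches_pin(CONSTRUCTED_DER + b"x", pin))
```

If the fingerprints do not match, do not add the exception; contact your web host instead.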

I am shocked, nay appalled, that I’ve been out doing repairs, maintenance, and just overall visiting with friends and I see that they have NOT updated their JAVA and ADOBE Acrobat or Reader!
It’s not like I don’t have a Weekly Security Digest that tells you to update your Adobe. And it’s not like Java doesn’t pop up with its “Update Available” icon and reminder. But are you updating? NO!
And the two updates are related as there are public exploits available to take advantage of these flaws!
For those of you who are newer to the whole security thing, let me explain what I’m saying to you.
In layman’s terms, a vulnerability is a flaw or hole in a piece of software.
An exploit is a way (method) to use that flaw or hole to gain access to a person’s computer.
A public exploit means that a bunch of bad guys posted the way or method (exploit) on a public website where any hacker (bad guy) can see it and use it!
Now, put this all together: if you do not update your Java and Adobe products, you risk becoming a victim of these bad guys, who have learned how to get into your computer using a method they got off a website to access the flaw or hole in your software.
You may be wondering how they do this.
They are doing it through a specially written (crafted) Adobe PDF. You may download it from a website that you think is legitimate. You might get it in an e-mail. You might even pay for it from a site that’s selling ebooks!
I can hear some of those more advanced readers saying, “WHAT?”
That’s right! Many of these Internet marketers and fly-by-night affiliate marketers are using very unsecured sites and web hosts to host their make-on-the-fly websites! It is very easy for someone to hack the site and replace the e-book with a bad one! Think about that!
And if you’re in doubt, and want to see some of the more recent vulnerable (has a hole or flaw) scripts that are out there right now, visit our archive of the most recent Security Digest and view the “Other Vulnerabilities” section! Trust me when I say that this was a very mild week for web applications!
And while you’re looking it over, click the Join Our Mailing List button in the left sidebar toward the top, and sign up for the free month’s trial of the Digest! (There are other FREE newsletters available there too!)
There is absolutely no reason why you should fall victim to these morons out there! We let you know what you need to do in our Security Digest and we even provide the link to the upgrades, patches, or fixes!
And for those of you who are more technical, or are the guru in your office or family, you’ll find the majority of the information very valuable because we put all the vulnerabilities in one place!
Did I also mention there is a section on current technical recalls?
Sales pitch done.
SIGN UP NOW and Update your JAVA and ADOBE READER NOW!
You can do this yourself!

I came across this title while finishing up this week’s Weekly Security Digest issue. (If you aren’t getting your free month, sign up here! There’s also a sample to view!)
Okay, after that shameless plug for my newsletter, back to the one bug to rule them all title.
This is the title of a security advisory that I found while gathering all the vulnerabilities for the weekly summary. To give the author credit, specifically, it’s this one: http://www.g-sec.lu/one-bug-to-rule-them-all.html
What’s interesting enough about this advisory – besides the title that is – is that this one reported bug affects a multitude of products! And not what you would think would be related products – necessarily.
It affects browsers from IE through Google Chrome, Apple Safari, Opera, Firefox, and a few more! But that’s not all, how about throwing in the iPhone, Blackberry, Nokia, and Siemens phones. Okay, so they do use browsers too!
Okay, but then what do all of those have to do with SeaMonkey, Thunderbird, Sony PS3, Nintendo Wii, and the iPod?
Give up?
The answer is Javascript!
Specifically, it’s a programming error in how the systems handle a particular code called the select() method.
Be that as it may, those of you so inclined can click the above link to the advisory and see the Proof of Concept (PoC) and the details of the problem. For those who are not so technically inclined, there is something I want to point out that you should “GET” from this post.
Security isn’t just about your PC, Mac, or Linux computer, laptop, or netbook! Security issues affect everything in our daily life now because programming code is used in nearly every device we use!
Whether you’re talking on the phone, playing Guitar Hero, or the Wii Fit, listening to music on your MP3 player, texting, or surfing – you are using technology that’s been programmed to do what it does.
Isn’t it time you started paying attention to security?















